Google Cloud Asset Inventory Organization Feed

This page shows how to write Terraform for the Cloud Asset Inventory Organization Feed and how to write it securely.

google_cloud_asset_organization_feed (Terraform)

The Organization Feed in Cloud Asset Inventory can be configured in Terraform with the resource name google_cloud_asset_organization_feed. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L26
resource "google_cloud_asset_organization_feed" "feed_iam_policy_org" {
  for_each        = var.feed_iam_policy_orgs
  billing_project = var.project_id
  org_id          = each.key
  feed_id         = "ram-iam-policy"
  content_type    = "IAM_POLICY"
  # remaining arguments elided in the source excerpt
}

main.tf#L7
resource "google_cloud_asset_organization_feed" "this" {
  asset_names     = var.asset_names
  asset_types     = var.asset_types
  billing_project = var.billing_project
  content_type    = var.content_type
  feed_id         = var.feed_id
  # remaining arguments elided in the source excerpt
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • asset_names optional - list of string

    A list of the full names of the assets to receive updates. You must specify either or both of assetNames and assetTypes. Only asset updates matching the specified assetNames and assetTypes are exported to the feed. For example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See https://cloud.google.com/apis/design/resourceNames#fullResourceName for more info.

  • asset_types optional - list of string

    A list of types of the assets to receive updates. You must specify either or both of assetNames and assetTypes. Only asset updates matching the specified assetNames and assetTypes are exported to the feed. For example: "compute.googleapis.com/Disk". See https://cloud.google.com/asset-inventory/docs/supported-asset-types for a list of all supported asset types.

  • billing_project required - string

    The project whose identity will be used when sending messages to the destination Pub/Sub topic. It also specifies the project for the API enablement check, quota, and billing.

  • content_type optional - string

    Asset content type. If not specified, no content but the asset name and type will be returned. Possible values: ["CONTENT_TYPE_UNSPECIFIED", "RESOURCE", "IAM_POLICY", "ORG_POLICY", "ACCESS_POLICY"]

  • feed_id required - string

    This is the client-assigned asset feed identifier, and it needs to be unique under a specific parent.

  • id optional computed - string
  • name optional computed - string

    The format will be organizations/[organization_number]/feeds/[client-assigned_feed_identifier].

  • org_id required - string

    The organization this feed should be created in.

  • condition list block

    • description optional - string

      Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

    • expression required - string

      Textual representation of an expression in Common Expression Language syntax.

    • location optional - string

      String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

    • title optional - string

      Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow entering the expression.

  • feed_output_config list block
  • timeouts single block
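The configuration below is an added example (not taken from this page's sources or the linked repositories) that ties the parameters above together: one organization-level IAM_POLICY feed per organization, a CEL condition that drops deletion events, and a least-privilege Pub/Sub publisher grant for the Cloud Asset service agent. The variable names, the topic name and the feed_id are assumptions.

```terraform
# Assumed inputs (not on the page): the billing project, which also hosts the
# topic, and the organization numbers to watch, e.g. ["123456789"].
variable "project_id" { type = string }
variable "org_ids"    { type = set(string) }

data "google_project" "billing" {
  project_id = var.project_id
}

resource "google_pubsub_topic" "iam_policy_feed" {
  project = var.project_id
  name    = "cai-iam-policy-feed" # assumed topic name
}

# Least privilege: the Cloud Asset service agent only needs to publish to
# this one topic.
resource "google_pubsub_topic_iam_member" "cai_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.iam_policy_feed.id
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:service-${data.google_project.billing.number}@gcp-sa-cloudasset.iam.gserviceaccount.com"
}

# One feed per organization; feed_id only has to be unique within its org.
resource "google_cloud_asset_organization_feed" "iam_policy" {
  for_each        = var.org_ids
  billing_project = var.project_id
  org_id          = each.key
  feed_id         = "iam-policy-changes"
  content_type    = "IAM_POLICY"
  # asset_names or asset_types is required; scope to hierarchy nodes.
  asset_types = [
    "cloudresourcemanager.googleapis.com/Organization",
    "cloudresourcemanager.googleapis.com/Folder",
    "cloudresourcemanager.googleapis.com/Project",
  ]
  # CEL condition per update: drop deletion events, keep live policies.
  condition {
    title       = "iam-policy-live"
    description = "Notify on created or updated IAM policies, not deletions"
    expression  = "!temporal_asset.deleted"
  }
  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.iam_policy_feed.id
    }
  }
  # The publisher binding must exist before the feed is validated.
  depends_on = [google_pubsub_topic_iam_member.cai_publisher]
}
```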

Explanation in Terraform Registry

Describes a Cloud Asset Inventory feed used to listen to asset updates. To get more information about OrganizationFeed, see:

  • API documentation
  • How-to Guides
    • Official Documentation

resource "google_cloud_asset_organization_feed" "organization_feed" {
  billing_project = "my-project-name"
  org_id          = "123456789"
  feed_id         = "network-updates"
  content_type    = "RESOURCE"

  asset_types = [
    "compute.googleapis.com/Subnetwork",
    "compute.googleapis.com/Network",
  ]

  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.feed_output.id
    }
  }

  condition {
    expression = <<-EOT
    !temporal_asset.deleted &&
    temporal_asset.prior_asset_state == google.cloud.asset.v1.TemporalAsset.PriorAssetState.DOES_NOT_EXIST
    EOT
    title       = "created"
    description = "Send notifications on creation events"
  }

  # Wait for the permission to be ready on the destination topic.
  depends_on = [
    google_pubsub_topic_iam_member.cloud_asset_writer,
  ]
}

resource "google_pubsub_topic" "feed_output" {
  project = "my-project-name"
  name    = "network-updates"
}

data "google_project" "project" {
  project_id = "my-project-name"
}

resource "google_pubsub_topic_iam_member" "cloud_asset_writer" {
  project = "my-project-name"
  topic   = google_pubsub_topic.feed_output.id
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloudasset.iam.gserviceaccount.com"
}

Frequently asked questions

What is Google Cloud Asset Inventory Organization Feed?

Google Cloud Asset Inventory Organization Feed is a resource for Cloud Asset Inventory of Google Cloud Platform. Settings can be written in Terraform.

Where can I find the example code for the Google Cloud Asset Inventory Organization Feed?

For Terraform, the BrunoReboul/terraform-google-realtime-asset-monitor and niveklabs/google source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.